Splunk Search

Compare count of unique values over two different time periods

kennyja
Explorer

Please forgive my ignorance, I am newbie to Splunk. I am trying to depict a unique count of users over two different time periods and show a ratio between the two. I would like to the following: A=Active users that have logged on within the last 90 days by department, B= Active users that have logged on with the last 30 days by department C: ratio between A and B by department. I have figured how to get A and B as separate queries, but how do I combine them into a single table?

Tags (1)
0 Karma

jplumsdaine22
Influencer

Lots of ways to do this. One method is just using eval (you may need to adjust this based on your field names eg department)

<yoursearch> earliest =-90d@d | eval UniqueUsersNinetyDays =if(_time<relative_time(now(),"-30d"),user,NULL) |eval UniqueUsersThirtyDays=if(_time>relative_time(now(),"-30d"),user,NULL)|   stats dc(UniqueUsersNinetyDays) as UniqueUsersNinetyDays dc(UniqueUsersThirtyDays) as UniqueUsersThirtyDays by department| eval Ratio=UniqueUsersNinetyDays/UniqueUsersThirtyDays

You could also run a couple of subsearches, or use eventstats. As a newbie, I highly recommend you get familiar with stats, chart and eval. The documentation for these commands is great.

http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Stats
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Chart
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Eval

Also search for those commands on splunk answers - there are lots of real world examples

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...